by righthand 338 days ago
No, the biggest churn involved is that now I’m another engineer who prefers to stay away from using, developing on, and recommending JavaScript platforms.

To your point, I think you will find most companies stop at the "upgrade high-sev packages" step and do not have any requirements or churn related to checking for fallout from sevs.

1 comments

That's what I suspect as well, but this means that we can assume that there's a giganormous amount of development machines being compromised around the world. If you're a gig worker, you might be exposing your other customers, including those with okay security practices.

It seems crazy to me that there's this ostrich culture about security. I'm guessing the vibecoding fashion doesn't help. Supply chain attacks can only grow exponentially from there; flee for your lives.